iHost – Terms and Conditions

Users need to fulfil the following requirements when they use the iHost service to host their websites or applications (collectively referred as “websites” as follows).

Role and Responsibilities

A business owner (or project owner) owns the iHost account and the website contents or data that the account is hosting. Besides defining all business requirements of the websites, a project owner also needs to appoint a technical owner (or a vendor) to help take care of the technical requirements imposed by iHost services.

Policies and Guidelines

iHost account owners should observe and follow the policies and guidelines below.

Cybersecurity Requirements

Review the Cyber Security Policy and ensure the hosted websites and their data fulfill the requirements whenever appropriate. Specifically,
- Risk Assessment, Classification and Mitigation
- Minimum Security Standard for Applications
High-risk applications or data are not allowed in iHost.
Register your production websites in CITARS http://itsc.ust.hk/cyber-security/citars. Review and update the record regularly if it has already been registered in CITARS.
Work with ITSO to resolve website vulnerabilities as soon as possible when a cybersecurity breach or threat has been identified.
If you are outsourcing your websites to vendors, please make sure your vendor has a maintenance plan for the entire lifespan of your websites. Refer to the following page for a quick summary of items that your vendor need to pay attention to.
/services/cyber-security/application-things-to-note

Health-check Scanning and Security Vulnerabilities

Before launching your websites for production, a health-check scanning is recommended.
- More information about the Web Application Health-check is at
  http://itsc.ust.hk/services/cyber-security/web-application-health-check-scanning
  
  (Notes: If your websites are developed by vendors, they are required to carry out health-check scanning by themselves and resolve any important security vulnerabilities with high or moderate risk, before requesting the health-check service.)
You are also requested to carry out health-check scanning to your websites after each major update.

Account Renewal & Archival

Hosting accounts will be valid for one year initially. Your departmental Cybersecurity coordinators (CSCs) will receive email notification from ITSO when it is time to renew the website. If your CSCs do not respond to our emails by the deadline listed in the emails, the websites will then be disabled and archived.

In case the websites are no longer needed, please ask your departmental CSCs to inform us to arrange to remove and archive the websites.

Regular Security/ Maintenance, End-of-life Schedule and Migration

iHost servers will be regularly patched for security updates. It would, although it is rare, potentially break some of your programs when applying the security updates. The technical owners (or your vendors) are required to resolve the issues if it happens.

When an iHost server reaches the end of its supported date (i.e. end-of-life date), users having websites on that iHost server will need to migrate their contents to another supported server.

iHost Servers	Support End Date
Webhost5	2019
Webhost6	2021
Webhost7	2023
Webhost8	2025